Oct. 2005
Rodney D. Martin
October 24, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title or author of the article. If you have questions about a link, send us an e-mail.
Data Breach in Georgia
In April 2005, an employee at the Georgia Technological Authority, the state’s chief data agency, noticed that a programmer had logged in after hours to a data system that he was no longer authorized to access. The programmer was fired and charged with criminal trespass, and law enforcement officials confiscated three computers from his home. When they scanned those computers, officials found sensitive records regarding 465,000 Georgia drivers and state employees that had been downloaded in 2002. Last week, the state began sending letters to the affected individuals. About half of the data was driver's license information. The other portion included the names and social security numbers of participants in the state’s medical insurance plan and their dependents. “State warning 465,000 Georgians of possible identity fraud risk,” http://www.ledger-enquirer.com/mld/ledgerenquirer/news/local/12962890.htm.
New FCC Wiretap Regulations Require Colleges to Restructure Internet Networks
Sunday’s New York Times included an article regarding the impact of new FCC regulations on colleges and universities. Those regulations will require colleges and universities to structure their Internet networks in a fashion that would permit federal law enforcement authorities to execute a wiretap order. According to the article, colleges and universities will be required to direct all communications coming into and going out of the network through a central point at which a wiretap could be applied. The Times says estimates of the cost to colleges and universities to comply go as high as $7 billion. The regulations give them 18 months to comply. “Colleges and universities have filed suit to challenge “Colleges Protest Call to Upgrade Online Systems,” http://www.nytimes.com/2005/10/23/technology/23college.html?hp&ex=1130040000&en=82e2a961640ae05b&ei=5094&partner=homepage
The regulations apply not only to colleges and universities but also to any library or airport that offers wireless Internet access to customers, and to municipalities that offer wireless access to residents. Several cities around the country, including Philadelphia, San Francisco, and Grand Rapids, Michigan, are working to develop city-wide wireless networks. For a related story, see “FCC Wiretap Order Threatens p2p Internet Telephony,” In the News, October 21, 2005.
Identity Thieves Target Student Aid
MarketWatch is running a story discussing how identity thieves are increasingly targeting student aid loan funds. The U.S. Department of Education annually disburses $70 billion in student aid. So it should not be too surprising that the fund would attract thieves. Thieves are aided by the Internet, which allows them to apply for financial aid and enroll online at schools around the country. “An education in identity theft: Crooks target college aid money, hitting consumers twice,” http://www.marketwatch.com/news/story.asp?guid=%7B15689E88%2D6320%2D4E8D%2D8474%2D764C65821751%7D&dist=rss&siteid=mktw
Appeals Court Reverses Order Shutting Down Interior Department Systems
On Friday, a federal Court of Appeals lifted a District Court order issued earlier in the week that would have required the United States Department of the Interior to shut down all computer systems that allow access to data regarding accounts it manages for Native Americans. The District Court had entered the order after concluding that the department’s computer security was so lax as to allow hackers to access and manipulate account information. In seeking to have the District Court order overturned, the Interior Department argued that there was no evidence that the accounts had been accessed nor was there any proof that the damage would be irreparable if unauthorized access occurred. “Court lets Interior Department keep computers online,” http://www.miami.com/mld/mercurynews/business/technology/12965057.htm?source=rss&channel=mercurynews_technology
October 25, 2005
National Health Information Network to Use Peer-to-Peer Sharing to Protect Medical Information
BusinessWeek Online has two articles that describe how the government plans to protect the confidentiality of electronic medical records of millions of Americans contained in the National Health Information Network (“NHIN”). According to BusinessWeek, the data will remain on the computers where they are stored and will be accessed using peer-to-peer sharing software similar to that used by music sharing services like Napster. By avoiding building a single database, the government hopes to reduce the likelihood that one’s entire medical information could be hacked. “Protecting Patients' Privacy,” http://www.businessweek.com/magazine/content/05_44/b3957118.htm?chan=tc?campaign_id=rss_tech
For a portrait of the administration’s health-technology czar, see “This Man Wants To Heal Health Care,” http://www.businessweek.com/magazine/content/05_44/b3957113.htm
Putting Identity Fraud in Perspective
CNET News has an article that attempts to bring some perspective to concerns about the risk of identity theft. “Separating Myth from Reality of Identity Theft,” http://news.com.com/Separating+myth+from+reality+in+ID+theft/2009-1029_3-5906818.html?tag=cd.lede. The article maintains that media reports have created misinformation and confusion and cites facts and figures, such as the following, that suggest that the concerns are overblown:
- Only 12 percent of identity fraud cases in 2004 originated because the victim was online, while 63 percent were unrelated to Internet activity.
- Online victims discover the fraud more quickly and have lower losses than other victims.
- Nearly two-thirds of what is reported as identity theft is simply credit card fraud for which cardholders have limited liability under federal law.
- According to Visa, only 2 percent of credit card accounts that are compromised are used fraudulently.
- Identity fraud is no longer the fastest growing crime in the United States (but is not yet showing signs of decreasing).
For a variety of perspectives on the threat from identity theft, see “ID Theft Roundtable,” http://news.com.com/2009-1029-5907186.html.
GAO Report Says E-Voting Systems Fail Security and Reliability Standards
A report issued Friday by the General Accounting Office says there is a risk that state and local jurisdictions will rely upon e-voting systems that fail to meet rigorous security and reliability standards because of the failure of the federal government to complete work on electronic voting guidelines. The responsibility for developing those guidelines belongs to the U.S. Election Assistance Commission (“EAC”), which Congress created in 2002. In response to the GAO report, the EAC noted that vendors and state and local election officials bear some of the responsibility for failing to achieve proposed voluntary voting system guidelines. “GAO Questions Progress On E-Voting Standards,” http://www.computerworld.com/governmenttopics/government/story/0,10801,105684,00.html
Update: Lawsuits Follow Publication of FCC Regulations on Wiretapping
The last two issues of In the News linked to articles on newly published regulations that require colleges, universities, VoIP providers, libraries, airports, municipalities, and others who operate Internet networks to make their networks accessible to wiretaps by law enforcement officials seeking to eavesdrop on communications over the network. (See “New FCC Wiretap Regulations Require Colleges to Restructure Internet Network,” In the News, October 25, 2005 and “FCC Wiretap Order Threatens p2p Internet Telephony,” In the News, October 21, 2005.) Late on Monday, the American Council on Education filed a lawsuit to overturn the new FCC regulations. Later today, a group of businesses and nonprofit groups is expected to file an additional lawsuit. “FBI Net-wiretapping rules face challenges,” http://news.com.com/FBI+Net-wiretapping+rules+face+challenges/2100-1028_3-5911676.html?tag=nefd.lede
October 26, 2005
Documents Point to Surveillance Violations by FBI
The Washington Post reports that the FBI has committed hundreds of violations of Justice Department guidelines governing the conduct of clandestine surveillance in the United States. According to internal documents obtained by the Post, the errors involved unauthorized searches and seizures, and the failure to complete paperwork that would enable the FBI to properly supervise the surveillance. An FBI spokesperson said that none of the violations was a major violation and most were merely administrative. The disclosures come as Congress is debating whether to put stricter limits on surveillance authority included in the USA PATRIOT Act. “FBI Papers Indicate Intelligence Violations,” http://www.washingtonpost.com/wp-dyn/content/article/2005/10/23/AR2005102301352.html
Can You Find Me Now?
BusinessWeek reports that more than 4 million Koreans have subscribed to a service that allows others to use the signal from a subscriber’s cellphone to determine the subscriber’s location. The program is popular with parents who want to track the movements of their children and with others who want to keep in touch with their friends and family. The Korean National Assembly has enacted a law requiring companies to be licensed to offer the service and to disclose information only as authorized by the subscriber. “‘Working Late’ Won't Work Anymore,” http://www.businessweek.com/@@X2pN5YUQx6*sihgA/magazine/content/05_44/b3957069.htm
Incentives Urged to Encourage Adoption of Nationwide Electronic Health Records
InformationWeek reports that the Commission on System Interoperability, an advisory panel created under the Medicare Modernization Act of 2003, has issued a report recommending steps it believes are necessary to create a secure nationwide system for sharing medical information. Among the recommendations is that the federal government, insurers and employers should offer incentives to health care providers to get them to adopt electronic recordkeeping. The report also recommends that the Department of Health and Human Services should support the creation of a single entity to certify that health IT products meet interoperability standards. “Feds Need To Push Financial Incentives, Standards, Security For Nationwide Health-Care IT To Take Off, Says Report,” http://informationweek.com/story/showArticle.jhtml?articleID=172900279.
Michigan’s Kids Do Not E-mail Law Not Yet Enforced
According to a report in the Detroit Free Press, Michigan’s Children’s Protection Registry Act has done little to stop companies from sending inappropriate e-mail messages to children. Adopted earlier this year, the statute allows parents to put their minor children on a do-not-email list. So far, 3,000 parents and 27 school districts have signed children up. But the state has yet to begin enforcing the act, while the state legislature works on amendments. “E-mail law upsets parents: Indecent messages still reach children,” http://www.freep.com/money/business/childads25e_20051025.htm
RFID Chips To Be In U.S. Passports
Paying little heed to overwhelmingly negative comments to its proposal, the State Department has issued regulations that require each U.S. passport issued beginning October 2006 to include a radio frequency ID (“RFID”) chip that transmits personal information about the passport’s holder. The information will include the name, nationality, sex, birth date, birthplace, and a digitized picture of the holder. Over ninety-eight percent of the people who commented on the proposed regulations criticized the effort, principally based on security and privacy issues. Some had expressed concern that RFID chips would enable terrorists to scan crowds to identify Americans traveling abroad. The State Department says the passports will be outfitted with antiskimming material that will “mitigate” the chance that information from the passports could be scanned from a distance. In addition, each passport will include two cryptographic keys that the RFID chip will use to authenticate an official reader before releasing its information. “Passports to get RFID chip implants,” http://news.zdnet.com/Passports+to+get+RFID+chip+implants/2100-1009_22-5913644.html
In a related story, beginning tomorrow, the United States will require travelers from the European Union who wish to enter the U.S. without a visa to have a passport that includes a digital photograph of the passport holder. The digital photo requirement is a stopgap until next October, when the United States will require foreign passports to include information on an RFID chip, similar to those that will be issued by the United States. “Italians and French may need US visas from this week,” http://www.washingtonpost.com/wp-dyn/content/article/2005/10/25/AR2005102501075.html
Audio Update: Colleges and Libraries Challenge Wiretap Rules
NPR’s All Things Considered has a report on the legal challenges raised by colleges and libraries to the FCC’s new rules requiring them to redesign their Internet networks to enable the FBI, pursuant to a warrant, to tap into the network through a single point of access from a remote location. The plaintiffs complain that complying with the new rules will cost millions of dollars and amount to an unfunded mandate. “Internet Surveillance Expands to Schools, Libraries,” http://www.npr.org/templates/story/story.php?storyId=4974291&ft=1&f=2
October 27, 2005
Survey Shows Internet Users Shopping Less on Line
Consumer Reports commissioned a survey of 1,501 Internet users to determine how their attitudes toward security had changed their usage patterns. “Leap of Faith: Using the Internet Despite the Dangers,” http://www.consumerwebwatch.org/dynamic/web-credibility-reports-princeton.cfm. Among the findings: 25 percent say they have stopped shopping on line and 29 percent of those who still shop on line say they have cut back on how often they make Internet purchases. Banking sites fare better with users. Sixty-eight percent of survey respondents said they trust banking sites in general, although only 36 percent said they trust mortgage or loan sites. The detailed 42-page report can be found at http://www.consumerwebwatch.org/pdfs/princeton.pdf.
U.K. Survey Concludes Users Doing Little to Protect Themselves
Meanwhile, across the pond, a survey of 1,000 in the United Kingdom found that 83 percent were not taking appropriate steps to surf the net securely and 53 percent said they did not know what to do to be more secure. Of those interviewed, 85 percent thought that cybercrime was not their problem. Nearly half said business should be responsible for protecting them against cybercrime and 11 percent saw it as government’s responsibility. “Net users told to get safe online,” http://news.bbc.co.uk/1/hi/technology/4378186.stm.
German Agency Issues VoIP Warning
The German Federal Office for Security in Information Technology has issued a security warning regarding voice over internet protocol (“VoIP”) services, saying it has identified 19 varieties of attacks on VoIP systems. The attacks create a threat of identity theft, data manipulation, and transmission and billing errors. The office also found that VoIP opened systems to malware, such as viruses, worms and Trojan horses. The office encouraged companies that plan to their VoIP and their data networks to protect the data network. “German security agency warns of VoIP security risks,” http://www.computerworld.com/securitytopics/security/story/0,10801,105728,00.html.
October 28, 2005
FBI Attempt to Track Suspects Using Cell Phones Rejected
The FBI was rebuffed twice in the last month when seeking a court order authorizing it to require cell phone companies to provide real-time information regarding the location of a cell phone to enable the FBI to track a suspect under surveillance. Two judges concluded that the FBI needed to – but couldn’t – establish probable cause to justify an order. The government argued that, under a federal statute known as the Pen/Trap Statute, it needed only to certify that “the information likely to be obtained is relevant to an ongoing criminal investigation.” The judges allowed the FBI to obtain cell phone usage records under this lower standard but determined that before a real-time feed of cell phone locations could be ordered, the FBI had to show probable cause that a crime had been or was about to be committed. Both judges ruled that the FBI had failed to do that. “U.S. Cell Phone Tracking Clipped,” http://www.wired.com/news/technology/0,1282,69390,00.html; “FBI Dealt Setback on Cellular Surveillance,” http://www.washingtonpost.com/wp-dyn/content/article/2005/10/27/AR2005102702109.html
Mortgage Lenders Urged to Address Security Concerns
Yesterday’s In the News included a link to a survey that reported that, while 68% of survey respondents said they trust banking sites in general, only 36% said they trust mortgage or loan sites. Coincidentally – or perhaps not – the Mortgage Bankers Association issued a whitepaper on Wednesday encouraging its members to adopt a five-step program to improve data security. “Protecting Personal Information: The Good, the Bad, the Ugly,” http://www.mortgagebankers.org/news/index.cfm?STRING=http://www.mortgagebankers.org/news/2005/pr1026e.html.
Check Imaging Seen as Boon to Check Forgers
The American Banker reports that the practice of imaging checks and storing those images online for customers has raised concern that the online databases will be a treasure trove for check forgers and identity thieves. In the article, Avivah Litan, a security consultant with Gartner Inc., says banks have underestimated the risk from digital imaging. “Crooks come in to look at your imaged checks to see what your signature's like,” she says, “[t]hey study the checks, and then they copy the checks.” Frank Abagnale, who has made a career out of forgery and false identities, on both sides of the law (see “Catch Me if You Can,” http://www.imdb.com/title/tt0264464/), says, “What I did 40 years ago is now 4,000 times easier to do today.” “The Tech Scene: Check Images A New Frontier For Forgery?,” http://www.americanbanker.com/article.html?id=20051025EKPL88CY&from=technology (subscription required).
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.